enforce RFC 7230 no-whitespace in header field name rule if MHD_USE_PEDANTIC_CHECKS is set

author: Christian Grothoff <christian@grothoff.org> 2017-04-23 20:07:10 +0200
committer: Christian Grothoff <christian@grothoff.org> 2017-04-23 20:07:10 +0200
commit: e95ec4874da57b153ecea27fa553ae8a19b4a280 (patch)
tree: afbd7a561a26bdcc30e7876a46f613fbb4b7700d
parent: ef49636130061c379821d60c58ef51468bf9e039 (diff)
download: libmicrohttpd-e95ec4874da57b153ecea27fa553ae8a19b4a280.tar.gz
libmicrohttpd-e95ec4874da57b153ecea27fa553ae8a19b4a280.zip
4 files changed, 22 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index b47afd26..c4b8e52b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+Sun Apr 23 20:05:44 CEST 2017
+        Enforce RFC 7230's rule on no whitespace in HTTP header
+        field names if MHD_USE_PEDANTIC_CHECKS is set. -CG
 Sun Apr 23 19:20:33 CEST 2017
        Replace remaining occurences of sprintf() with
        MHD_snprintf_(). Thanks to Ram for pointing this out. -CG
diff --git a/src/examples/minimal_example.c b/src/examples/minimal_example.c
index b6e5edc3..c5796fc8 100644
--- a/src/examples/minimal_example.c
+++ b/src/examples/minimal_example.c
@@ -68,7 +68,7 @@ main (int argc, char *const *argv)
      return 1;
    }
  d = MHD_start_daemon (// MHD_USE_INTERNAL_POLLING_THREAD | MHD_USE_ERROR_LOG,
-                        MHD_USE_AUTO | MHD_USE_INTERNAL_POLLING_THREAD | MHD_USE_ERROR_LOG,
+                        MHD_USE_AUTO | MHD_USE_INTERNAL_POLLING_THREAD | MHD_USE_PEDANTIC_CHECKS | MHD_USE_ERROR_LOG,
                        // MHD_USE_INTERNAL_POLLING_THREAD | MHD_USE_ERROR_LOG | MHD_USE_POLL,
                        // MHD_USE_THREAD_PER_CONNECTION | MHD_USE_INTERNAL_POLLING_THREAD | MHD_USE_ERROR_LOG | MHD_USE_POLL,
                        // MHD_USE_THREAD_PER_CONNECTION | MHD_USE_INTERNAL_POLLING_THREAD | MHD_USE_ERROR_LOG,
diff --git a/src/microhttpd/connection.c b/src/microhttpd/connection.c
index da54bf1a..cbac8447 100644
--- a/src/microhttpd/connection.c
+++ b/src/microhttpd/connection.c
@@ -2213,6 +2213,22 @@ process_header_line (struct MHD_Connection *connection,
                              _("Received malformed line (no colon). Closing connection.\n"));
      return MHD_NO;
    }
+  if (0 != (MHD_USE_PEDANTIC_CHECKS & connection->daemon->options))
+    {
+      /* check for whitespace before colon, which is not allowed
+         by RFC 7230 section 3.2.4; we count space ' ' and
+         tab '\t', but not '\r\n' as those would have ended the line. */
+      const char *white;
+      white = strchr (line, ' ');
+      if ( (NULL != white) &&
+           (white < colon) )
+        return MHD_NO;
+      white = strchr (line, '\t');
+      if ( (NULL != white) &&
+           (white < colon) )
+        return MHD_NO;
+    }
  /* zero-terminate header */
  colon[0] = '\0';
  colon++;                      /* advance to value */
diff --git a/src/microhttpd/digestauth.c b/src/microhttpd/digestauth.c
index 8b219296..7ade4542 100644
--- a/src/microhttpd/digestauth.c
+++ b/src/microhttpd/digestauth.c
@@ -413,7 +413,7 @@ check_nonce_nc (struct MHD_Connection *connection,
    {
      /* Fresh nonce, reinitialize array */
      strcpy (nn->nonce,
-              nonce);
+              nonce);
      nn->nc = 0;
      nn->nmask = 0;
      MHD_mutex_unlock_chk_ (&daemon->nnc_lock);
author	Christian Grothoff <christian@grothoff.org>	2017-04-23 20:07:10 +0200
committer	Christian Grothoff <christian@grothoff.org>	2017-04-23 20:07:10 +0200
commit	e95ec4874da57b153ecea27fa553ae8a19b4a280 (patch)
tree	afbd7a561a26bdcc30e7876a46f613fbb4b7700d
parent	ef49636130061c379821d60c58ef51468bf9e039 (diff)
download	libmicrohttpd-e95ec4874da57b153ecea27fa553ae8a19b4a280.tar.gz libmicrohttpd-e95ec4874da57b153ecea27fa553ae8a19b4a280.zip